ansible-role-win_openssh

SSH Hardening Option

Open anwilson6 opened this issue 2 years ago • 2 comments

Changing the default SSHD_Config by adding a list of keys allowed under Ciphers and Keying will harden OpenSSH.

anwilson6 avatar Jun 29 '22 17:06 anwilson6

Sorry for the delay in getting to this PR. I'm not against adding the code to set these 3 options but I am slightly concerned about the maintainability of this going forward. I'm no expert in SSH and the options specified here so I wouldn't know when these options become out of date and when they should be updated.

I'm also concerned that these options may only be supported by certain sshd versions and trying to install an older version with a newer algorithm would cause a failure in starting up sshd. If sshd just ignores algorithms it doesn't know about then that's good but I just don't know what the current behaviour is.

The last thing is I've tried to set up most of the config tasks to detect if the option is also specified. The current PR will just add these lines after the # Ciphers and keying key if they are not present but won't be able to detect if the option itself is already present. Normally this isn't a problem as this role is mostly used to install OpenSSH and the default config doesn't contain any of these entries but that may change in the future. We could add the regexp: '^#?Ciphers\s+' value so it will replace what is already there but I'm unsure if this is the behaviour we really want.

jborean93 avatar Jul 10 '22 23:07 jborean93
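As an added illustration of the detection concern raised above (not code from this role or its author): a small Python stand-in for the `win_lineinfile` behaviour, showing how a `regexp: '^#?Ciphers\s+'` match replaces an existing active or commented option in place while `insertafter` only fires when nothing matches, plus a pre-check that every listed algorithm is known to the local sshd so an unsupported name is never written. The config snippet and the supported-algorithm sets are constructed for the example (the sets stand in for `ssh -Q cipher`/`mac`/`kex` output).

```python
import re

# Constructed sample of the relevant section of a freshly installed
# sshd_config_default, where the option lines are still commented out.
SAMPLE_CONFIG = """\
# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
"""

# Constructed stand-in for what `ssh -Q cipher` / `ssh -Q mac` / `ssh -Q kex`
# report on the target host; a real check would read that output instead.
SUPPORTED = {
    "Ciphers": {"aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "MACs": {"hmac-sha2-512", "hmac-sha2-256"},
    "KexAlgorithms": {"ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"},
}


def unsupported(key, value):
    """Return the algorithms in the comma-separated VALUE that sshd does not know."""
    return [a for a in value.split(",") if a not in SUPPORTED.get(key, set())]


def set_option(text, key, value, marker=r"^# Ciphers and keying"):
    """Mimic lineinfile with regexp '^#?KEY\\s+' plus insertafter=MARKER:
    replace the last matching (active or commented) line, otherwise insert
    after the marker, otherwise append. Note the marker comment has a space
    after '#', so '^#?Ciphers\\s+' does not match '# Ciphers and keying'."""
    pattern = re.compile(rf"^#?{re.escape(key)}\s+")
    lines = text.splitlines()
    new_line = f"{key} {value}"
    hits = [i for i, line in enumerate(lines) if pattern.match(line)]
    if hits:
        lines[hits[-1]] = new_line  # lineinfile replaces the last match
    else:
        for i, line in enumerate(lines):
            if re.match(marker, line):
                lines.insert(i + 1, new_line)
                break
        else:
            lines.append(new_line)
    return "\n".join(lines) + "\n"


def harden(text, options):
    """Apply each option only if all its algorithms are supported locally."""
    for key, value in options.items():
        bad = unsupported(key, value)
        if bad:
            raise ValueError(f"{key}: not supported by this sshd: {bad}")
        text = set_option(text, key, value)
    return text
```

Running `harden` twice on the same input yields identical output, which is the idempotence the role's other config tasks aim for.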

On the default state it is commented out. I considered doing a loop.

```yaml
- name: Change allowed ciphers in sshd_config_default
  win_lineinfile:
    path: '{{ opt_openssh_install_path }}\sshd_config_default'
    insertafter: '^# Ciphers and keying'
    line: "{{ item }}"
  loop: "{{ opt_openssh_ciphers_keying }}"
  when: opt_openssh_cipher_hardening
  ignore_errors: '{{ ansible_check_mode }}'
```

Defaults:

```yaml
opt_openssh_ciphers_keying:
  - Ciphers @.@.@.***,aes256-ctr,aes192-ctr
  - MACs @.@.@.***,hmac-sha2-512,hmac-sha2-256
  - KexAlgorithms @.***,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
```

Then you could just change ciphers with no PR.

But the way I wrote it, you can just change ciphers in the play book as needed.

Let me know.


anwilson6 avatar Jul 11 '22 00:07 anwilson6